CVE Catalog

CVE-2026-48732

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.01%

59th percentile - higher than 59% of all known CVEs

Summary

Warp contains a command injection issue in the legacy SSH background command path in versions from 0.2023.03.21.08.02.stable_00 to 0.2026.05.06.15.42.stable_01. An attacker can exploit a remote directory to execute additional shell syntax on the remote host as the victim's authenticated SSH account.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized command execution on the remote host, posing a serious threat to the security of the organization's data and systems.

Recommendation

It is recommended to update Warp to version 0.2026.05.06.15.42.stable_01 or later to mitigate this vulnerability.

Original NVD description (English source)

Warp is an agentic development environment. From 0.2023.03.21.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for SSH-backed metadata collection. A remote host, repository, or directory name controlled by an attacker could cause that helper command to execute additional shell syntax on the remote host as the victim's authenticated SSH account. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS